[SERVER-13513] Unauthorized user able to run show dbs Created: 08/Apr/14  Updated: 10/Dec/14  Resolved: 08/Apr/14

Status: Closed
Project: Core Server
Component/s: Security, Shell
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Pratik Gadiya Assignee: J Rassi
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

Pre-requisites:

a. User in admin database
b. User in any other database

Steps:
1. Authenticate against admin database
2. Execute show dbs command to list all the databases in Mongo. As this is the admin user it has the privilege to list all the dbs.
3. Authenticate against other database containing different user
4. Execute show dbs command - This time it should give an error, as a local user of any database other than admin cannot list all the databases present in Mongo.

Description

While switching between the users, the cache does not get refreshed automatically. It stores the first authenticated user's privilege data.



Comments
Comment by Pratik Gadiya [ 08/Apr/14 ]

Hi Rassi,

I used db.logout() command and now it is working fine.

Thanks

Comment by J Rassi [ 08/Apr/14 ]

Hi Pratik,

Are you running db.logout() on the admin database before step 4 in your repro? Note that MongoDB connections support authentication to multiple databases at the same time; an explicit logout is required in order to relinquish the privileges of the user logged into the first database.

~ Jason Rassi
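A mongo shell script, added here as an example and not part of the ticket, that walks the reported steps and makes the per-connection authenticated-user set visible with the connectionStatus command before and after db.logout(). The user names, database name and passwords are constructed placeholders; the admin user is assumed to hold a role that grants listDatabases and the second user a role scoped to its own database only.

```mongosh
// Added example (not from the ticket): reproduce the reported scenario and
// inspect which users are authenticated on this connection at each step.
// Assumed pre-created users (placeholders):
//   admin.adminUser  - role granting listDatabases (e.g. root or clusterAdmin)
//   app.appUser      - role scoped to the "app" database only (e.g. readWrite)
var ADMIN_PASS = "<admin-password>";   // placeholder
var APP_PASS = "<app-password>";       // placeholder

function whoIsAuthenticated() {
    // connectionStatus lists every user currently authenticated on this connection
    var status = db.getSiblingDB("admin").runCommand({ connectionStatus: 1 });
    return status.authInfo.authenticatedUsers.map(function (u) {
        return u.db + "." + u.user;
    });
}

function tryListDatabases(label) {
    // "show dbs" is the listDatabases command run against admin; issue it directly.
    // Legacy mongo returns {ok: 0, errmsg: ...}; mongosh throws, so handle both.
    try {
        var res = db.adminCommand({ listDatabases: 1 });
        if (res.ok) {
            print(label + ": listDatabases succeeded, " + res.databases.length + " databases");
        } else {
            print(label + ": listDatabases refused: " + res.errmsg);
        }
    } catch (e) {
        print(label + ": listDatabases refused: " + e.message);
    }
}

// Steps 1-2: authenticate the admin user; listing all databases is expected to work
assert(db.getSiblingDB("admin").auth("adminUser", ADMIN_PASS));
print("authenticated: " + whoIsAuthenticated());
tryListDatabases("admin only");

// Steps 3-4 as reported: authenticate the second user WITHOUT logging out first.
// Both users remain on the connection, so the admin user's privilege still applies.
assert(db.getSiblingDB("app").auth("appUser", APP_PASS));
print("authenticated: " + whoIsAuthenticated());
tryListDatabases("admin + app user, no logout");

// Resolution from the comments: logging out of the admin database relinquishes
// that user's privileges; only the app user remains on the connection.
db.getSiblingDB("admin").logout();
print("authenticated: " + whoIsAuthenticated());
tryListDatabases("app user only, after admin logout");
```

The connectionStatus output is the check to use when a session appears to hold more privileges than the most recently authenticated user should have.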
